Splunk Cloud

Splunk Cloud User Manual

Download manual as PDF

This documentation does not apply to the most recent version of SplunkCloud. Click here for the latest version.
Download topic as PDF

Splunk Cloud data policies

Splunk Cloud administers your data according to the policies described below.

Data retention

When you send data to Splunk Cloud, it is stored in indexes. Splunk Cloud retains data based on index settings that enable you to specify when data is to be deleted. To configure different data retention settings for different sources of data, store the data in separate indexes according to the desired deletion policy.

Each index uses two settings to determine when to delete data:

  • The maximum size of the index (specified in the Max data size (GB) field on the Indexes page)
  • The maximum age of events in the index (specified in the Retention (days) field on the Indexes page)

When the index reaches the specified maximum size or events reach the specified maximum age, the oldest data is deleted.

For example, suppose the maximum size of the index is set to 100 GB, and the maximum age of events in the index is set to 15 days. If you send 100 GB every day, then data will never be more than one day old, because every day the index reaches its maximum size and the oldest data is deleted. However, if you send only 1 GB every day, the index never reaches its maximum size, so deletion is controlled by the maximum age. Data is never more than 15 days old and the size of the index remains around 15 GB.

Index data is stored in directories called buckets. Data is deleted by deleting entire buckets, not individual events. Buckets have their own settings that limit their size and the age of events in them. A bucket is not deleted until every event in the bucket meets the deletion settings for the index.

For example, suppose the maximum size of the index is set to 10 GB and the maximum age of events in the bucket is set to 15 days. If you send 1 GB every day to that bucket, then on day 10 the bucket reaches its size limit, and only then are the index settings for deletion respected. If the maximum size of the index is set to 1 GB, the bucket still grows to 10 GB, at which point the bucket is closed and the index retention settings are applied. Because the index exceeds its limit of 1 GB, the 10 GB bucket is deleted.

Because of this logic, you cannot guarantee that data is deleted on a precise schedule by default. If you require data to be deleted on a precise schedule, contact Splunk Technical Support to discuss the options.

Data ingestion and daily license usage

Your Splunk Cloud license governs how much data you can load into your Splunk Cloud deployment per day (GMT). To see current and past daily data ingestion information in Splunk Web, use the Monitoring Console app. To do this, choose Apps, click Cloud Monitoring Console and navigate to the License Usage page. Splunk recommends you set up alerts in the system to monitor your license usage.

You can exceed your purchased daily index volume a maximum of five times in a calendar month. If you exceed your daily limit more than five times in a calendar month, what happens depends on the type of Splunk Cloud deployment you have, as follows:

  • Managed Splunk Cloud: Your Splunk sales representative may work with you to help you reduce your usage to stay within the purchased limit or to purchase the necessary increase. If you are unable or unwilling to abide by the applicable usage limit, you will pay any invoice for excess usage in accordance with your Terms of Service.
  • Self-service Splunk Cloud deployments: Your Splunk Cloud instance is locked. You can reset a locked instance three times in a 90-day period. To reset a locked instance, go to your Splunk customer portal and click the Unlock License button. To unlock your instance, your Splunk user must have administrator and instance owner level privilege.

If you consistently exceed your licensed limit, contact Splunk Sales to do a benchmark assessment to determine your volume needs and purchase an appropriate plan to handle your volume.

Overview of Splunk Cloud administration
Monitor Splunk Cloud deployment health

This documentation applies to the following versions of Splunk Cloud: 7.0.0, 7.0.2, 7.0.3, 7.0.5, 7.0.8

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters